shinys000114/linux
1
0
Fork 0
mirror of https://github.com/hardkernel/linux.git synced 2026-03-25 20:10:23 +09:00
Code Issues Packages Projects Releases Wiki Activity
Files
7ea2ea68df08bcfabb59bf0012120ffec4901d21
linux/drivers/mtd
History
Dan Carpenter 457376c6fb mtdchar: fix integer overflow in read/write ioctls 
commit e4185bed738da755b191aa3f2e16e8b48450e1b8 upstream.

The "req.start" and "req.len" variables are u64 values that come from the
user at the start of the function.  We mask away the high 32 bits of
"req.len" so that's capped at U32_MAX but the "req.start" variable can go
up to U64_MAX which means that the addition can still integer overflow.

Use check_add_overflow() to fix this bug.

Fixes: 095bb6e44e ("mtdchar: add MEMREAD ioctl")
Fixes: 6420ac0af9 ("mtdchar: prevent unbounded allocation in MEMWRITE ioctl")
Cc: stable@vger.kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-12-01 11:41:39 +01:00
..
chips
mtd: cfi_cmdset_0001: Byte swap OTP info
2023-11-28 17:20:06 +00:00
devices
mtd: powernv: Add check devm_kasprintf() returned value
2024-10-04 16:29:07 +02:00
hyperbus
mtd: hyperbus: hbmc-am654: fix an OF node reference leak
2025-02-08 09:52:24 +01:00
lpddr
mtd: lpddr2_nvm: Convert to devm_platform_ioremap_resource()
2023-07-12 14:08:26 +02:00
maps
mtd: maps: physmap-core: fix flash size larger than 32-bit
2024-03-26 18:19:52 -04:00
nand
mtd: rawnand: cadence: fix DMA device NULL pointer dereference
2025-12-01 11:41:39 +01:00
parsers
mtd: partitions: redboot: Added conversion of operands to a larger type
2024-07-05 09:33:51 +02:00
spi-nor
mtd: spi-nor: Fix spi_nor_try_unlock_all()
2025-08-28 16:28:36 +02:00
tests
mtd: make mtd_test.c a separate module
2024-08-03 08:54:00 +02:00
ubi
ubi: Add a check for ubi_num
2025-02-17 09:40:27 +01:00
ftl.c
mtd: fix possible integer overflow in erase_xfer()
2025-08-15 12:08:51 +02:00
inftlcore.c
mtd: inftlcore: Add error check for inftl_read_oob()
2025-04-25 10:45:29 +02:00
inftlmount.c
mtd: inftl: remove unnecessary oom message
2021-06-11 20:44:21 +02:00
Kconfig
mtdblock: Add comment about UBI block devices
2021-08-06 22:05:13 +02:00
Makefile
mtd: Support kmsg dumper based on pstore/blk
2020-05-31 19:49:01 -07:00
mtd_blkdevs.c
mtd: Fix gluebi NULL pointer dereference caused by ftl notifier
2024-01-25 15:35:15 -08:00
mtdblock_ro.c
mtdblock: make warning messages ratelimited
2023-07-27 17:16:14 +02:00
mtdblock.c
mtdblock: make warning messages ratelimited
2023-07-27 17:16:14 +02:00
mtdchar.c
mtdchar: fix integer overflow in read/write ioctls
2025-12-01 11:41:39 +01:00
mtdconcat.c
mtd: fix repeated word in comment
2022-09-20 10:40:30 +02:00
mtdcore.c
mtd: core: Report error if first mtd_otp_size() call fails in mtd_otp_nvmem_add()
2024-06-12 11:11:58 +02:00
mtdcore.h
mtd: use refcount to prevent corruption
2023-07-12 13:30:08 +02:00
mtdoops.c
mtd: mtdoops: panic caused mtdoops to call mtdoops_erase function immediately
2022-11-07 17:08:00 +01:00
mtdpart.c
mtd: use refcount to prevent corruption
2023-07-12 13:30:08 +02:00
mtdpstore.c
mtd: Replace kcalloc() with devm_kcalloc()
2025-04-25 10:45:25 +02:00
mtdsuper.c
mtd: key superblock by device number
2023-08-31 12:47:15 +02:00
mtdswap.c
mtd: always initialize 'stats' in struct mtd_oob_ops
2022-09-21 10:38:07 +02:00
nftlcore.c
mtd: always initialize 'stats' in struct mtd_oob_ops
2022-09-21 10:38:07 +02:00
nftlmount.c
mtd: nftl: remove unnecessary oom message
2021-06-11 20:43:26 +02:00
rfd_ftl.c
mtd/rfd_ftl: don't cast away the type when calling add_mtd_blktrans_dev
2021-08-23 10:01:06 +02:00
sm_ftl.c
mtd: sm_ftl: Fix typos in comments
2023-06-22 23:00:43 +02:00
sm_ftl.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500
2019-06-19 17:09:55 +02:00
ssfdc.c
mtd: always initialize 'stats' in struct mtd_oob_ops
2022-09-21 10:38:07 +02:00